This article was first published in the May 2019 Ireland edition of Accounting and Business magazine.

With some fanfare, and no little trepidation, the General Data Protection Regulation (GDPR) came into force across the EU just over a year ago. Heralded as the most significant overhaul of data protection in decades, GDPR has directly impacted on how every business processes and handles data, covering everything from cookie notifications to the reporting of data breaches. For many observers, the biggest question hanging over its launch was how companies, and SMEs in particular, would cope with the onerous set of new responsibilities it presented. Indeed, there were good reasons to suspect that many businesses were leaving preparations far too late. A Dublin Data Sec survey in February 2018 surprised few when it found that fewer than half of Irish businesses were ready for GDPR.

So it’s ironic that, a year later, what’s most noteworthy about GDPR is not the extent to which it has empowered the public, or penalised companies that run afoul of it (although it has done both), but how smoothly the implementation process has gone for the vast majority of companies. At the end of 2018, a Mazars/McCann FitzGerald survey found that 88% of Irish businesses were confident they were interpreting their GDPR obligations correctly and 84% were satisfied they were materially compliant. Even more strikingly, these high levels of confidence weren’t the result of an easy or inexpensive implementation process. In all, 68% of businesses described the GDPR process as challenging, and 61% said it cost more than expected. Yet there was a clear sense from the findings that the positives outweighed any negatives, with 82% of businesses taking the view that GDPR was beneficial for individuals. ‘Most organisations have found it to be a worthwhile, albeit at times painful, exercise in terms of information governance,’ says Paul Lavery, partner and head of technology and innovation at McCann FitzGerald.

Better understanding

Michelle Hourican FCCA is co-founder of Datatrails, a company that has worked closely with a wide cross-section of Irish firms as they set out to meet their GDPR requirements. She agrees that while few organisations would have actively wished for GDPR on their ‘to-do’ list, it has provided a unique opportunity to refresh and update their approach to data retention.

‘Those who have taken a positive approach to GDPR have seen a number of benefits and even new opportunities, some of them unintended,’ she observes. ‘In many cases, companies also got to understand their business a lot better.’ She gives the example of organisations that were storing large amounts of historic data, often decades old. ‘There is a cost involved in storage and, if any individual was to put in an access request, there would be a cost in terms of retrieving it. If there was no lawful basis for holding data under GDPR, then it was time to get rid of it.’

Hourican says that accountancy firms were, in general, ahead of the curve. ‘We, as accountants, are used to working in environments of regulation and confidentiality, and to managing risk, so for these firms it was more about getting a governance framework in place and following it rigidly,’ she says.

The relatively smooth start doesn’t mean organisations aren’t being challenged. A survey by law firm DLA Piper found there had been 59,430 data breach notifications reported across the EU in the eight months following the launch of GDPR; the Netherlands had the most breaches per capita, followed by Ireland and Denmark.

In January, the French regulator levied one of the largest fines to date, €50m, on Google for what it claimed were issues around disclosure and consent – a decision the company, which has its European headquarters in Dublin, says it will appeal. Given the large number of tech giants that have made Ireland their European hub, there is likely to be a particular focus on how the Irish Data Protection Commission responds to privacy complaints and data breach notifications. By the end of 2018, the commission had received over 1,900 complaints specifically related to GDPR and is currently undertaking 16 statutory inquiries involving tech giants such as Facebook, Twitter, Apple and LinkedIn.

Reflecting on a changed environment, Helen Dixon, the commissioner for data protection in Ireland, argues that GDPR is feeding into ‘a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data’.

It’s an observation that any company that believes it has made a good start to GDPR would do well to take on board. Hourican warns companies to actively guard against complacency. ‘We’ve had companies present us with certificates that say they are GDPR compliant. No piece of paper can protect you from human error, and data breaches caused by human error are the biggest ongoing risk for any business.’ Recently published statistics show 3.3 billion data records were compromised globally due to data breaches in the first half of 2018. Many can be the result of something as simple as sending a group email to the wrong group or leaving an unencrypted device with corporate information behind while travelling, Hourican explains.

‘The reality is that people need to be trained on their responsibilities on a regular basis. Everyone, at every level of an organisation, has a role to play in GDPR compliance.’

Donal Nugent, journalist